authorGuido Trentalancia <guido@trentalancia.com>2023-09-13 15:32:31 +0200
committerKenton Groombridge <concord@gentoo.org>2023-10-06 11:26:32 -0400
commitcb143f042e9cfc5141388785bbb9b6e2f4f6c700 (patch)
tree022be0ed68b544a2371cfee5f357ec8dd04f566e
parentFor systemd-hostnamed service to run (diff)
Fix the recently introduced "logging_syslog_can_network" tunable policy, by including TCP/IP socket creation permissions.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com> Signed-off-by: Kenton Groombridge <concord@gentoo.org>
-rw-r--r--policy/modules/system/logging.te4
1 files changed, 2 insertions, 2 deletions
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 3cadba881..0b3e75fca 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -408,8 +408,6 @@ allow syslogd_t self:unix_dgram_socket create_socket_perms;
allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
allow syslogd_t self:unix_dgram_socket sendto;
allow syslogd_t self:fifo_file rw_fifo_file_perms;
-allow syslogd_t self:udp_socket create_socket_perms;
-allow syslogd_t self:tcp_socket create_stream_socket_perms;
allow syslogd_t syslog_conf_t:file read_file_perms;
allow syslogd_t syslog_conf_t:dir list_dir_perms;
@@ -583,6 +581,8 @@ ifdef(`distro_ubuntu',`
tunable_policy(`logging_syslog_can_network',`
allow syslogd_t self:capability { net_admin };
+ allow syslogd_t self:tcp_socket create_stream_socket_perms;
+ allow syslogd_t self:udp_socket create_socket_perms;
corenet_all_recvfrom_netlabel(syslogd_t)
corenet_udp_sendrecv_generic_if(syslogd_t)
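Review bot: The added `allow syslogd_t self:tcp_socket create_stream_socket_perms;` in the logging_syslog_can_network block grants `listen` and `accept` on top of the plain socket permissions, so enabling the tunable lets syslogd_t act as a TCP server as well as forward logs. If the tunable is meant for outbound forwarding only, `create_socket_perms` would be the narrower set; the rest of the block lies outside this hunk, so whether inbound ports are allowed there cannot be confirmed from here. Because the first hunk removes the unconditional tcp/udp rules, any rule elsewhere in logging.te that still assumes syslogd_t can open inet sockets would stop working with the tunable off. A comment above the two new lines would record that dependency, for example `# inet socket creation moved here from the unconditional syslogd_t rules`.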